Despite security concerns, states haven't upgraded voting tech

By Derek B. Johnson

Mar 12, 2018

In September 2015, the Brennan Center for Justice released a report on voting machine security that described how most states' systems were vulnerable to hacking because they relied on outdated hardware and software and had had little ability to conduct accurate post-election auditing.

When the center released an update to that report on March 8, it found that not much has changed.

Headed into the 2018 elections, jurisdictions in 41 states are using voting systems at least a decade out of date, a small improvement from the earlier study in which 44 states reported long-obsolete voting tech. Another modest increase was in the number of states in which election officials said they must replace voting equipment by 2020 -- 33 in 2018, up from 31 in 2015.

Even though election security has received significant attention from the media, security experts and federal, state and local government officials following the 2016 presidential election, the new findings indicate that attention does not necessarily translate to substantive action.

But it's not all bad news, Lawrence Norden, deputy director of the Brennan Center's Democracy Program and an author of both the 2015 and 2018 reports, told FCW, GCN's sibling site.

The report cites the increasing role of federal agencies like the Department of Homeland Security and the Election Assistance Commission as positive post-election developments. Norden and his co-authors say that trend will continue, whether state and local governments like it or not.

However, Norden was surprised the results around voting machines were so consistent across both reports. There are still approximately 40 million registered voters living in counties without paper ballots, including 6.5 million voters in critical swing states like Pennsylvania.

"I would have assumed that we'd continue to keep pace in the years since the 2016 election or maybe even move faster … because of all the attention to security," Norden said. "In fact, much more progress happened before 2016 than has happened since."

However, he noted that voting machine security is just one aspect of the election infrastructure. While policymakers rightly focus on it, it remains one of the more difficult aspects of the election system for hackers to meaningfully manipulate.

"There are a lot easier targets in the election system, whether it's registration system, election-night reporting or tally servers … attacks against those systems are actually probably a lot easier," he said.

President Donald Trump made waves during a March 7 press conference when he said "certainly there was meddling" during the 2016 elections and endorsed more widespread use of paper ballots, something many cybersecurity experts have long called for.

"It's old fashioned, but it's always good to have a paper backup system of voting," said Trump. "It's called paper. Not highly complex computers -- paper, and a lot of states are doing that, they're going to a paper backup."

However, there's been little movement on this front, according to the Brennan Center study. In 2016, 14 states reported using paperless voting machines in at least some of their districts, while five used them statewide. The 2018 update found that just one of those 14 states -- Virginia -- has moved to replace its paperless voting systems.

"While many paperless systems were replaced in the years before the 2016 election, since then, the country has made remarkably little progress -- even despite repeated warnings from intelligence officials and security experts that voter verified paper records are a critical backstop against cyberattacks," write the report's authors.

State election officials continue to cite a lack of dedicated funding to replacing voting machines. Following Trump's comments, Reps. Bennie Thompson (D-Miss.) and Robert Brady (D-Pa.), co-chairs of the Congressional Task Force on Election Security, released a statement expressing appreciation for the White House's endorsement of paper ballots but noted that "replacing state voting systems takes a great deal of time and money -- and many states have neither."

A bipartisan effort in the Senate to include voting cybersecurity measures via an amendment to the Department of Homeland Security authorization bill was withdrawn because of objections from several states. Sens. James Lankford (R-Okla.), Kamala Harris (D-Calif.) and Maggie Hassan (D-N.H.) plan to offer their bill as standalone legislation.

The lack of budget support has forced many state officials to look for alternative resources to update their voting infrastructure. Tech companies like Google and Cloudflare have started offering free 24-hour, year-round support services to states, counties and municipalities to protect election systems from denial-of-service and phishing attacks. Still other election officials have reported scrounging for spare voting machine parts on eBay.

During a January 2018 summit on election security, David Stafford, supervisor of elections for Escambia County, Fla., recommended that states partner with local organizations.

"Look in your own community. If you have a university, chances are there are some portion that are involved in cybersecurity," said Stafford.

Norden said it is too late to make a substantive dent in voting machine replacements or upgrades before the 2018 election. But he noted that there is plenty of time for other policies -- such as instituting post-election audits for the 80 percent of the country that do have paper ballot machines -- that could make a difference in ensuring election integrity.

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.